[codex] Prototype Codex Apps as virtual HTTP MCP servers

[aibrahim-oai]

Summary

• add a codex-apps crate that snapshots the shared Apps upstream and serves one authenticated loopback streamable-HTTP MCP endpoint per connector
• return ordinary configured HTTP MCP registrations; MCP manager and core receive no Apps-specific launch branch
• add a generic validated, redacted runtime bearer facility for non-persisted HTTP credentials
• centralize connector naming and collision behavior, and protect loopback HTTP traffic from ambient proxies and unsafe redirects

Why

Codex Apps are currently special-cased across MCP management. This prototype tests a cleaner boundary: Apps owns connector inventory, virtual servers, local authentication, and lifecycle; MCP management uses the ordinary configured streamable-HTTP path.

This remains intentionally unwired. The legacy production path stays intact. A production cutover still requires moving connector policy and trust, auth elicitation, file handling, approval metadata, cache and refresh behavior, progress and server notifications, long-name compatibility, and upstream lifecycle behind shared Apps-owned APIs.

Security and lifecycle

• bind to 127.0.0.1:0
• use per-connector 256-bit bearer capabilities held in redacted, non-serializable runtime state
• reject browser Origin requests while retaining RMCP Host validation
• bypass proxies only for literal loopback endpoints and constrain redirects to loopback with a 10-hop maximum
• use stateless JSON RMCP plus consuming, cancelable shutdown

Validation

• just test -p codex-apps (4 tests)
• just test -p codex-mcp (94 tests)
• just test -p codex-connectors (32 tests)
• just test -p codex-utils-string (19 tests)
• just test -p codex-exec-server reqwest_http_client (4 focused tests)
• just fix -p for all five affected crates
• just fmt
• just bazel-lock-update
• just bazel-lock-check
• git diff --check